diff --git a/clusters/cl01tl/platform/gitea/Chart.yaml b/clusters/cl01tl/platform/gitea/Chart.yaml
index 5a11c23a1..867207ada 100644
--- a/clusters/cl01tl/platform/gitea/Chart.yaml
+++ b/clusters/cl01tl/platform/gitea/Chart.yaml
@@ -4,13 +4,18 @@ version: 1.0.0
 sources:
   - https://github.com/go-gitea/gitea
   - https://gitea.com/gitea/helm-chart
+  - https://github.com/cloudflare/cloudflared
   - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 dependencies:
   - name: gitea
     version: 10.1.4
     repository: https://dl.gitea.io/charts/
+  - name: cloudflared
+    alias: cloudflared
+    repository: http://alexlebens.github.io/helm-charts
+    version: 1.2.0
   - name: postgres-cluster
     alias: postgres-16-cluster
     version: 3.1.0
-    repository: http://alexlebens.github.io/helm-charts
+    repository: http://alexlebens.github.io/helm-charts
 appVersion: "1.21.7"
diff --git a/clusters/cl01tl/platform/gitea/templates/external-secret.yaml b/clusters/cl01tl/platform/gitea/templates/external-secret.yaml
index f25147a85..3587d9f4b 100644
--- a/clusters/cl01tl/platform/gitea/templates/external-secret.yaml
+++ b/clusters/cl01tl/platform/gitea/templates/external-secret.yaml
@@ -4,7 +4,7 @@ metadata:
   name: gitea-admin-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/name: gitea-admin-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
@@ -18,14 +18,14 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /gitea/auth/admin
+        key: /cl01tl/gitea/auth/admin
         metadataPolicy: None
-        property: username
+        property: username
     - secretKey: password
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /gitea/auth/admin
+        key: /cl01tl/gitea/auth/admin
         metadataPolicy: None
         property: password
 
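Review bot: The new cloudflared dependency and the postgres-cluster entry this hunk rewrites both use `repository: http://alexlebens.github.io/helm-charts`, so `helm dependency update` opens the chart fetch over cleartext and depends on a server-side redirect for any TLS, while the gitea dependency a few lines up already uses `https://`. Changing both lines to `repository: https://alexlebens.github.io/helm-charts` removes that cleartext hop at no cost, and the postgres-cluster line is already in the diff. That removed/added pair looks whitespace-only, as does the `property: username` pair in the external-secret.yaml `@@ -18,14` hunk; if trailing whitespace is the reason, the commit message could say so, otherwise these pairs read as accidental churn.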
@@ -36,7 +36,7 @@ metadata:
   name: gitea-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/name: gitea-oidc-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
@@ -61,6 +61,31 @@ spec:
         metadataPolicy: None
         property: client
 
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/gitea
+        metadataPolicy: None
+        property: token
+
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
diff --git a/clusters/cl01tl/platform/gitea/values.yaml b/clusters/cl01tl/platform/gitea/values.yaml
index 768a94632..3145599e4 100644
--- a/clusters/cl01tl/platform/gitea/values.yaml
+++ b/clusters/cl01tl/platform/gitea/values.yaml
@@ -1,20 +1,6 @@
 gitea:
   ingress:
-    enabled: true
-    className: traefik
-    annotations:
-      traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      traefik.ingress.kubernetes.io/router.tls: "true"
-      cert-manager.io/cluster-issuer: letsencrypt-issuer
-    hosts:
-      - host: gitea.alexlebens.net
-        paths:
-          - path: /
-            pathType: Prefix
-    tls:
-      - secretName: gitea-secret-tls
-        hosts:
-          - gitea.alexlebens.net
+    enabled: false
   gitea:
     admin:
       existingSecret: gitea-admin-secret
@@ -25,7 +11,7 @@ gitea:
     config:
       server:
         LANDING_PAGE: explore
-        ROOT_URL: https://gitea.alexlebens.net
+        ROOT_URL: https://gitea.alexlebens.dev
         ENABLE_PPROF: true
       webhook:
         ALLOWED_HOST_LIST: private
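Review bot: The new gitea-cloudflared-secret reads `key: /cloudflare/tunnels/gitea`, while the two existing ExternalSecrets in this file are moved in the same commit to the cluster-prefixed path `/cl01tl/gitea/auth/admin`; if the Vault layout is now per-cluster, the tunnel token path presumably wants the same `/cl01tl/` prefix, and if it is intentionally shared between clusters a comment above `key:` such as `# tunnel token is shared across clusters, hence no /cl01tl/ prefix` would stop someone "fixing" it later. The spec sets no `refreshInterval`, so the Secret is re-synced at the operator's default cadence; if the tunnel token is expected to be rotated in Vault, stating the intended interval explicitly makes that behaviour visible. The `component: web` label is copied from the admin and OIDC secrets even though this secret feeds the tunnel rather than the web pod, which may be worth a distinct value for selectors.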
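Review bot: With `ingress.enabled: false` the removed Traefik/cert-manager Ingress was the only thing on this page that routed the public hostname to the gitea service and terminated TLS in-cluster, and the new `cloudflared` values block only supplies the token Secret, so the tunnel's route to the gitea HTTP service must live outside this chart (remotely managed tunnel config or the subchart's defaults) — nothing visible here shows it. A comment on `enabled: false` naming where routing and TLS termination now happen would make the change reviewable, e.g. `# public exposure moved to the cloudflared tunnel (see cloudflared: below); TLS terminates at Cloudflare, cloudflared -> gitea is in-cluster HTTP`. Gitea will now see client connections arriving from the cloudflared pods rather than from the ingress controller; whether its reverse-proxy trust settings match that is not shown in these hunks and is worth confirming alongside the `ROOT_URL` change in the `@@ -25,7` hunk.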
@@ -63,7 +49,7 @@ gitea:
         - name: Authentik
           provider: openidConnect
           existingSecret: gitea-oidc-secret
-          autoDiscoverUrl: "https://authentik.alexlebens.net/application/o/gitea/.well-known/openid-configuration"
+          autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
           iconUrl: https://goauthentik.io/img/icon.png
           scopes: "email profile"
   persistence:
@@ -76,6 +62,8 @@ gitea:
     enabled: true
   persistence:
     enabled: false
+cloudflared:
+  existingSecretName: gitea-cloudflared-secret
 postgres-16-cluster:
   mode: standalone
   cluster:
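Review bot: `cloudflared.existingSecretName` hands the subchart a Secret whose only key, from the new ExternalSecret in this commit, is `cf-tunnel-token`; the key name that cloudflared chart 1.2.0 actually reads is not visible here, so a mismatch would only surface when the tunnel pod fails to start. Pin the contract in a comment next to the value, e.g. `# Secret must expose the token under the key the cloudflared subchart reads (currently cf-tunnel-token)`, so the ExternalSecret and this value are not changed independently. In the `@@ -63,7` hunk, dropping the quotes from `autoDiscoverUrl` is valid YAML and matches the unquoted `iconUrl` on the next line; only the host change is substantive there.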